
Conversation

Aashish-Jha-11
Contributor

Did you read the Contributor Guide?

Is this PR related to a ticket?

What changes were proposed in this PR?

  • Added zizmor with pre-commit

Did this PR include necessary documentation updates?

  • No, this PR does not affect any public API so no need to change the documentation.

@github-actions github-actions bot added the root label Jun 8, 2025
@jiayuasu jiayuasu changed the title Added zizmor with pre-commit [GH-1977] Added zizmor with pre-commit Jun 8, 2025
@jiayuasu
Member

jiayuasu commented Jun 9, 2025

@Aashish-Jha-11 please fix the lint issue

@Aashish-Jha-11
Contributor Author

Thank you for the review and feedback!
Apologies for the lint issues — this was my first time contributing to such a large open-source project, and I'm still learning the workflows. I’ve fixed the issues now. Really grateful for the opportunity to contribute and improve.

- Added zizmor static analysis tool for GitHub Actions security scanning
- Fixed unpinned r-lib action references in r.yml by specifying SHA hashes
- Updated hook configuration to scan workflow files for security issues
@Aashish-Jha-11
Contributor Author

I've enhanced our CI/CD security by adding the zizmor static analysis tool to our pre-commit configuration. This addition helps protect our GitHub Actions workflows from common security vulnerabilities.

Changes made:

- Added zizmor pre-commit hook with these settings:
  - Repository: https://github.com/zizmorcore/zizmor-pre-commit
  - Version: v1.9.0
  - Hook ID: zizmor
  - Configured to scan all GitHub Actions workflow files
- Fixed security issues in existing workflows:
  - Updated r.yml workflow to use commit SHA pinning instead of version tags
  - Replaced r-lib/actions/@v2.11.3 references with r-lib/actions/@bd49c52ffe281809afa6f0fecbf37483c5dd0b93

Benefits:

The zizmor pre-commit hook will automatically scan all workflows for security issues, including:

- Unpinned action references (which could be hijacked)
- Overly broad permissions
- Credential persistence issues
- Other GitHub Actions security best practices

This should help maintain a more secure CI/CD pipeline for all contributors. When creating or updating workflows, the pre-commit hook will identify security issues before they reach our repository.
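The settings listed above correspond to a short `.pre-commit-config.yaml` entry. The fragment below is an added example written for this page, not the PR's own diff; the repository URL, `rev`, and hook id are the values the comment states, while the `args` line is an assumption about zizmor's CLI and is left commented out.

```yaml
# .pre-commit-config.yaml (excerpt; added example, not the PR's diff)
repos:
  - repo: https://github.com/zizmorcore/zizmor-pre-commit
    rev: v1.9.0            # hook release named in the PR comment above
    hooks:
      - id: zizmor
        # The hook's own definition restricts it to GitHub Actions workflow
        # files, so no files: override is needed here (assumption).
        # Optional: opt into the stricter audit set. `--persona` is an
        # assumption about the zizmor CLI; remove if your version lacks it.
        # args: ["--persona=pedantic"]
```

Because pre-commit is a git-hooks framework, the same hook runs locally before anything is pushed: `pre-commit run zizmor --all-files` audits every workflow in the checkout, which is the quickest way to reproduce a CI `error[unpinned-uses]` without waiting for GitHub Actions.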

shell: bash
- uses: actions/checkout@v4
- uses: r-lib/actions/setup-r@v2.11.3
- uses: r-lib/actions/setup-r@bd49c52ffe281809afa6f0fecbf37483c5dd0b93
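Review bot: the replacement line pins `r-lib/actions/setup-r` to a bare commit SHA with no indication of which release it corresponds to; add a trailing version comment, e.g. `- uses: r-lib/actions/setup-r@bd49c52ffe281809afa6f0fecbf37483c5dd0b93 # v2.11.3`, so reviewers can tell at a glance what the hash represents and dependency-update tooling can keep the comment and hash in step. Also note that the adjacent `actions/checkout@v4` line is left tag-pinned in the same hunk, so the pinning policy being applied is inconsistent within this file; either state why first-party `actions/*` references are exempt or pin both the same way.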
Member

Is this because this commit belongs to an unreleased version?

Contributor Author

Thanks for pointing that out,
Yes, this is because GitHub Actions security best practices recommend pinning to a full commit SHA instead of using version tags, which are mutable.

I verified that bd49c52... is the current commit behind v2.11.3 at the time of change, so this ensures reproducibility and avoids any tampering even if the tag is moved in the future.

Let me know if you'd prefer using a different version or want it changed back to tag-based reference. 😊

Member

thanks for the detailed explanation. I actually prefer the tag-based reference. Would you please change it back?

Contributor Author

Sure! I’ll switch it back to the tag-based reference as suggested. Thanks again for the clarification and feedback — learning a lot through this process! 😊

Contributor Author

Hi @jiayuasu Sir,
I'm currently facing some lint issues related to GitHub Actions. One of the errors is error[unpinned-uses], which occurs when actions are referenced using tags like @v2.11.3. To fix this, I tried using the full commit SHA instead, since the linter requires pinning to a specific version hash for security.

Would you mind helping me with the correct way to handle this? I just want to make sure I'm following the project's guidelines properly.

Thank you!

Member

> Hi @jiayuasu Sir, I'm currently facing some lint issues related to GitHub Actions. One of the errors is error[unpinned-uses], which occurs when actions are referenced using tags like @v2.11.3. To fix this, I tried using the full commit SHA instead, since the linter requires pinning to a specific version hash for security.
>
> Would you mind helping me with the correct way to handle this? I just want to make sure I'm following the project's guidelines properly.
>
> Thank you!

Hello @Aashish-Jha-11, you can use a config file to ignore some audit rules

https://docs.zizmor.sh/configuration/

Read up on the rules here:

https://docs.zizmor.sh/audits/
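Since the maintainer prefers tag-based references for the r-lib actions while keeping the zizmor hook, the configuration file suggested above is where that trade-off gets recorded. The file below is an added example for this page, not the PR's own change: it keeps the `unpinned-uses` audit enabled but tells zizmor that tag pins are acceptable for the `r-lib/*` namespace, and shows the blunter per-file `ignore` as a commented-out alternative. The `config.policies` keys are assumed to be available in the zizmor release the v1.9.0 hook installs; the `ignore` list is the longer-standing mechanism from the linked configuration docs. The file location is assumed to be the repository's `.github/zizmor.yml`.

```yaml
# .github/zizmor.yml (added example, not from the PR)
rules:
  unpinned-uses:
    # Option A: scope the pinning policy instead of silencing the audit.
    # Each pattern maps to one of: any | ref-pin | hash-pin.
    # Keys under `config:` are an assumption about zizmor 1.x's policy syntax.
    config:
      policies:
        "r-lib/*": ref-pin      # accept tags for the r-lib actions the PR touches
        "actions/*": ref-pin    # first-party actions stay tag-pinned, as in r.yml
        "*": hash-pin           # everything else must still be SHA-pinned
    # Option B: skip the audit for one workflow file entirely.
    # Entries are workflow basenames, optionally suffixed with :line:col.
    # ignore:
    #   - r.yml
```

Option A is the one to prefer: it documents which publishers the project trusts at the tag level, keeps the audit active for every other third-party action, and produces a clean `pre-commit run zizmor --all-files` without editing the workflow itself. Option B removes the finding for `r.yml` as a whole, so a later unpinned `uses:` added to that file would also go unreported.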

@jbampton
Member

Hey @Aashish-Jha-11 you should read about pre-commit in the Sedona docs. pre-commit is running on the CI with GitHub Actions but pre-commit is really a git hooks framework which can also run on your local machine before pushing up to GitHub. So you can test on your local machine with the audit rules and config file

https://sedona.apache.org/latest-snapshot/setup/compile/#pre-commit

If you are not really sure how to finish this PR I can try to finish it. Since you have already done some work we can always use another PR that I create and we can put you down as the commit co-author so you get credit for the existing work.

https://docs.github.com/en/pull-requests/committing-changes-to-your-project/creating-and-editing-commits/creating-a-commit-with-multiple-authors

@Aashish-Jha-11
Contributor Author

Hi @jbampton,

Thank you so much for explaining and for sharing the helpful links. Since this is my first time contributing to a large open-source project like this, I’ve tried multiple approaches to fix the pre-commit and lint issues locally, but I’m still getting stuck.

If it’s okay, I would really appreciate it if you could help finish this PR and add me as a co-author for the contribution. Thanks again for your guidance and support!

@jbampton jbampton marked this pull request as draft July 14, 2025 14:02